
Who can put a stop to data breaches?

By Rose Oswald Poels, Wisconsin Bankers Association


As more and more data breaches occur, every participant in the U.S. payment system must equally share the responsibility and liability associated with these events. Retailers, card networks, processors, and banks must work hand-in-hand and on a level playing field in order to protect consumers. It’s time to target those who are truly responsible for data breaches: the criminals stealing credit and debit card information.

After a breach, the refrain from retailers is “consumers will not be responsible for any fraudulent charges to their accounts.” While that is absolutely true, retailers aren’t responsible for those fraudulent charges either. It is the banks in Wisconsin and across the nation that shield their customers from the financial harm caused by data breaches. It is as simple as this: When a breach occurs, banks bear the brunt of the costs so their customers won’t have to.

Industry experts can’t determine the extent of the harm to consumers and banks from the Home Depot data breach yet, but we only have to look back at Target’s recent data breach for a glimpse of how bad it could be. That particular data breach resulted in 40 million compromised credit and debit cards, and financial institutions eventually replaced an estimated 21.8 million cards. Not taking into account the cost incurred by fraudulent activity on those cards (which the bank protected consumers from), the toll to the financial industry was $200 million. Home Depot’s breach impacted 56 million cards and will undoubtedly have a worse effect on everyone involved.

Banks dedicate hundreds of millions of dollars annually to data security while adhering to strict regulatory requirements. It’s time for retailers to step up their efforts just as banks, card networks, and processors have in keeping consumers safe. Criminals are becoming increasingly smart and sophisticated in their approach to stealing credit and debit card data. The only way to protect consumers and stop these offenders is for the entire payment systems industry to focus on prevention rather than simply react after the fact.

Both the card issuing and the merchant side of the industry absorb fraud losses after breaches. It's a matter of the type of data compromised.

Breaches will continue and will probably escalate until security for the card data is taken out of the hands of merchants. This can only be done in card-present environments with a combination of hardware point-to-point encryption (in which the card data is encrypted at the very point of contact with the card reader) and tokenization, which negates the need for a merchant to store card data.

Technologies such as EMV and Apple Pay are not broad solutions. Technology such as Host Card Emulation (HCE) is promising because it could help secure all card acceptance (retail & e-commerce) without the need to change terminals and, via cloud hosting, has the promise of layering as many factors of customer authentication as desired via a smartphone (PIN, fingerprint, geo-location, MAC or sdn, etc.).

We cannot stop hackers from getting into networks, any networks, at this time. We can only make the data useless to them.

Oct 7, 2014 09:06 pm

Posted by
Anonymous

Are my calculations off, or does the article invoke an almost $10 cost to mail a replacement card to a consumer ($200MM at 21.8MM cards)? If that is the case, then I think someone needs to take a look at what must be an inefficient process of card fulfillment.
